U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S SERENA BUSINESS MANAGER
FY 2013
WASHINGTON, D.C.

Report No. 4A-CI-00-13-023
Date: July 19, 2013

Michael R. Esser
Assistant Inspector General for Audit

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Executive Summary

This final audit report discusses the results of the Office of the Inspector General’s (OIG) review of the information technology security controls of the U.S. Office of Personnel Management’s (OPM) Serena Business Manager (SBM).
Our conclusions are detailed in the “Results” section of this report.

SBM was originally used for software change management control, issue, and defect tracking. In 2004, the Office of the Chief Information Officer (OCIO) recognized an opportunity to use the tool for developing administrative support applications for OPM program offices.

Currently SBM is used by the OCIO to design, develop, test and implement applications used by multiple organizational units within OPM. SBM hosts minor applications that are developed and tested using the SBM platform.

We have ongoing concerns about the security of SBM. The system has been hacked twice in the last year, with both breaches leading to the loss of sensitive data. We issued a flash audit alert to the OPM Director on April 8, 2013 (see Appendix II), recommending that all public-facing elements of SBM be taken offline until the system could be adequately secured.

In response to our alert, the Director instructed the OCIO to shut down the public-facing portion of the system. The OCIO also developed a corrective action plan to address the SBM security flaws (see Appendix III). We agree with the corrective action plan and will continue to monitor this issue.

In addition, we documented the following opportunities for improvement:
• SBM does not have a standardized process in place to routinely audit user accounts for appropriate access across all applications within the system; and
• SBM currently does not utilize access agreement forms for the information system.

As part of this audit, we determined that the following elements of the SBM security program appear to be in full compliance with the Federal Information Security Management Act:
• A Security Assessment and Authorization of SBM was completed in December 2012;
• SBM is appropriately assigned a security categorization of “moderate”;
• The SBM System Security Plan contains elements required by NIST SP 800-18 Revision 1;
• A Security Assessment Plan has been documented and tested in FY 2013 with the results incorporated into the Security Assessment Report;
• The OCIO conducted a self-assessment of the security controls of SBM in FY 2012;
• A contingency plan was reviewed, updated and tested for the system in FY 2013;
• A Privacy Impact Assessment was completed for SBM in November 2012;
• The SBM Plan of Action and Milestones (POA&M) follows the format of the OPM POA&M guide, and has been routinely submitted to the OCIO for evaluation; and
• A risk assessment was conducted for SBM in FY 2013 that addresses all the required elements outlined in relevant guidance.

Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
   I. Security Assessment and Authorization
  II. FIPS 199 Analysis
 III. System Security Plan
  IV. Security Assessment Plan and Report
   V. Security Control Self-Assessment
  VI. Contingency Planning and Contingency Plan Testing
 VII. Privacy Impact Assessment
VIII. Plan of Action and Milestones Process
  IX. NIST SP 800-53 Evaluation
   X. Security Breaches Involving Serena
Major Contributors to this Report

Appendix I: OCIO’s April 9, 2013 response to the draft audit report, issued March 1, 2013
Appendix II: OIG’s April 8, 2013 Flash Audit Alert – Information System Security at the U.S. Office of Personnel Management
Appendix III: OCIO’s April 10, 2013 Response to the Flash Audit Alert issued April 8, 2013

Introduction
On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management’s (OPM) Serena Business Manager (SBM).

Background
SBM is one of OPM’s critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency’s systems on a rotating basis.
OPM’s Office of the Chief Information Officer (OCIO) has ownership and managerial responsibility of the SBM system and is also responsible for IT development, support, and maintenance of the system. SBM resides on the OPM Local Area Network/Wide Area Network (LAN/WAN) in the Development/Test and Production (DTP) environment.

Serena Business Manager (formerly called TeamTrack) was originally purchased for software change management control, and issue/defect tracking. After the acquisition of TeamTrack, it was realized that the software provided the OCIO the capability to develop administrative applications for a fraction of the cost of developing custom applications.

In 2004, the OCIO recognized an opportunity to use the tool for developing administrative support applications for other OPM program offices. There were many existing administrative support tracking systems throughout OPM that were originally built using various technologies such as MS Access, PowerBuilder, and ColdFusion. Reengineering these systems as SBM applications provided the OCIO an opportunity to build and maintain these applications in one environment where applications shared one browser interface, common software components, and one single place to manage user access and application security.

Objectives
Our objective was to perform an evaluation of the security controls for SBM to ensure that OCIO officials have implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), and OPM policy.

OPM’s IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system’s information is adequately protected and (2) authorize the system for operations. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for SBM, including:
• Security Assessment and Authorization;
• FIPS 199 Analysis;
• System Security Plan;
• Security Assessment Plan and Report;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology
This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of OCIO personnel responsible for SBM, including IT security controls in place as of February 2012.

We considered the SBM internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM’s OCIO and other individuals with SBM security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance.
As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of SBM are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the SBM system of internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Security and Privacy Policy Handbook;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from November 2012 through February 2013 in OPM’s Washington, D.C. office.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OCIO management of SBM is consistent with applicable standards. Nothing came to the OIG’s attention during this review to indicate that the OCIO is in violation of relevant laws and regulations.

Results

I. Security Assessment and Authorization
A Security Assessment and Authorization (SA&A) of SBM was completed in December 2012.

OPM’s Chief Information Officer reviewed the SBM SA&A package and signed the system’s authorization memorandum on December 19, 2012.

NIST SP 800-37 Revision 1, “Guide for Applying Management Framework to Federal Information Systems,” provides guidance to federal agencies in meeting security accreditation requirements. The SBM SA&A appears to have been conducted in compliance with NIST requirements.

II. FIPS 199 Analysis
Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The SBM FIPS 199 Security Categorization Template analyzes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. SBM is categorized with a moderate impact level for confidentiality, moderate for integrity, moderate for availability, and an overall categorization of moderate.

The security categorization of SBM appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and the OIG agrees with the categorization of moderate.

III. System Security Plan
Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a System Security Plan (SSP) for each system, and provides guidance for doing so.

The SSP for SBM was created using the template outlined in NIST SP 800-18. The template requires that the following elements be documented within the SSP:
• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Security Control Selection;
• Minimum Security Controls; and
• Completion and Approval Dates.

The SBM SSP adequately addresses each of the elements required by NIST.

IV. Security Assessment Plan and Report
A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for SBM in November and December 2012 respectively as a part of the system’s SA&A process. We reviewed the documents to verify a risk assessment was conducted in accordance with NIST SP 800-30, Risk Management Guide for Information Technology Systems. We also verified that appropriate management, operational, and technical controls were tested for a system with a “moderate” security categorization according to NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.

The SAP assessment results table labeled each security control as fully satisfied, partially satisfied, not satisfied or not applicable.
The SAR identified 23 total control weaknesses. The SBM Plan of Action and Milestones (POA&M) describes the corrective measures that have been implemented or are planned to address these weaknesses.

Nothing came to our attention to indicate that the security controls of SBM have not been adequately tested.

V. Security Control Self-Assessment
FISMA requires that the IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent security controls test is not conducted on the system, the system’s owner must conduct an internal self-assessment of security controls.

A partial-scope vulnerability assessment was conducted on the SBM system in August 2012. The assessment included a review of a subset of management, operational, and technical security controls outlined in NIST SP 800-53 Revision 3. Nothing came to our attention to indicate that the security controls of SBM have not been adequately tested by the OCIO.

VI. Contingency Planning and Contingency Plan Testing
NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM’s security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The SBM contingency plan documents the functions, operations, and resources necessary to restore and resume SBM operations when unexpected events or disasters occur. The SBM contingency plan closely follows the format suggested by NIST SP 800-34 and contains a majority of the suggested elements.

Contingency Plan Test
NIST SP 800-34, Contingency Planning Guide for Information Technology, provides guidance for testing contingency plans and documenting the results. Contingency plan testing is a critical element of a viable disaster recovery capability.

A simulated “table top” test of the SBM contingency plan was conducted in June 2010. The testing documentation contained an analysis and review of the results. We reviewed the testing documentation to determine if the test conformed with NIST SP 800-34 guidelines.

VII. Privacy Impact Assessment
FISMA requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed.

On November 1, 2012, a PIA was conducted on SBM that was based on the guidelines contained in OPM’s PIA Guide. The PIA was reviewed by OPM’s Chief Privacy Officer and Chief Information Officer.

VIII. Plan of Action and Milestones Process
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency’s information systems.

The SBM POA&M follows OPM’s standard template and has been routinely submitted to the OCIO for evaluation.
The OIG verified that weaknesses identified as a result of the SA&A security control testing and vulnerability scanning have been documented on SBM’s system POA&M.

IX. NIST SP 800-53 Evaluation
NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the Federal government. As part of this audit, we evaluated 40 of these security controls from the following families:
• Access Control;
• Audit and Accountability;
• Security Assessment and Authorization;
• Configuration Management;
• Contingency Planning;
• Identification and Authentication;
• Planning;
• Personnel Security;
• Risk Assessment; and
• System and Information Integrity.

These controls were evaluated by interviewing individuals with SBM security responsibility, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system.

Although it appears that the majority of NIST SP 800-53 Revision 3 security controls have been successfully implemented for SBM, several tested controls were not fully satisfied.

a) AC-6 Least Privilege
NIST SP 800-53 Revision 3 requires that “The organization employs the concept of least privilege, allowing only authorized users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organization missions and business functions.”

SBM does not have a standardized process in place to routinely audit user accounts for appropriate access across all applications on the system. Currently, the owners of all of the various applications within SBM use their own process to audit user account access. The methodology to audit user accounts varies greatly from application to application.

Failure to implement a standardized process to audit user accounts for appropriate access increases the likelihood of an unauthorized user having access to protected organizational information.

Recommendation 1
We recommend the OCIO reevaluate its current methodology and implement a standardized process for auditing user account access across all applications for SBM.

OCIO Response:
“The Report noted that SBM does not have a standardized process in place to routinely audit user accounts for appropriate access across all applications on the system. The following actions have been taken to address the weakness.

• CIO is currently working on a standardized process to track all account requests to SBM application. CIO will also include a process to review current SBM account access and take corrective actions as needed. This will be performed on a regular basis.
  o Specifically, we are currently collecting account data needs to ensure the system owners/administrators are getting the audit results they need and to confirm who is or is not authorized account access. This also would resolve the separation of duties issue where we collect the raw logs and then provide them to the System Owner/Admin for review/validation.
• As an interim solution, the DSO/managed administrators will create requests in the SBM ACTS application to track requests.
  All external users have agreements which are now being uploaded to the CIO CMS system. The assigned Rules of Behavior and the fax copy of the access request are also being uploaded.
• In the long term, we will work with the NM Help Desk, modifying the 1665 so that the Help Desk can field account requests and collect sufficient information to establish new accounts.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide Internal Oversight and Compliance (IOC) with evidence supporting the remediation of the recommendation.

b) PS-6 Access Agreements
NIST SP 800-53 Revision 3 states that the organization “ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access” and “reviews and updates the access agreements.”

SBM currently does not utilize access agreement forms when granting individuals access to the information system. Currently, users who require access to SBM applications send an e-mail request to the Designated Security Officer. This current process makes it very difficult to find an individual’s access request when necessary and to audit user accounts for appropriate access, as previously discussed in section AC-6, Least Privilege.

Failure to use, review, and update access agreement forms increases the risk of an unauthorized user gaining access to private and proprietary organizational information.

Recommendation 2
We recommend the OCIO implement the use of access agreement forms when granting individuals access to SBM, review the forms on a routine basis, and update them when necessary.

OCIO Response:
“The Report noted that SBM does not utilize access agreement forms when granting individuals access to the information system. Users who require access send an email request to the DSO. The current process makes it difficult not only to find individual access requests, but also audit user accounts to ensure appropriate access. The following action has been taken to address the weakness.

• OCIO uses the 1665 form for both AD access and access to specific applications. The reconciliation between the 1665 authorization for access and the log files of actual account access should be occurring at the System level where System Owner/Administrators grant authorized access according to their program requirements.
  o OCIO will develop a continuous monitoring solution to provide system owners with regular reports on account access for their audits of account access.
• SBM uses Active Directory authentication and all access is tied to LAN/WAN accounts. The new process that is currently being designed (described as an interim solution in section AC-6 above) will remediate this problem.
The long-\n       term intent is to incorporate standard data collection form/processes for\n       Serena.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that the OCIO provide IOC\n   with evidence supporting the remediation of the recommendation.\n\nc) RA-5 Vulnerability Scanning\n   NIST SP 800-53 Revision 3 states that the organization \xe2\x80\x9cscans for vulnerabilities in\n   the information system and hosted applications\xe2\x80\x9d and \xe2\x80\x9cremediates legitimate\n   vulnerabilities in accordance with organizational assessment of risk.\xe2\x80\x9d\n\n   The SBM information system resides on a server in OPM\xe2\x80\x99s LAN/WAN environment.\n   The OCIO\xe2\x80\x99s Network Security Branch (NSB) conducts routine vulnerability scanning\n   and reports the results to the system owner. After reviewing the report of SBM\xe2\x80\x99s\n   most recent vulnerability scan, we identified several major weaknesses that have not\n   been remediated. 
We contacted NSB and SBM personnel and discovered that this\n   was a known vulnerability on several servers in the environment.\n\n   There is currently a project in place to remediate the vulnerabilities and employ\n   Defense Information Systems Agency: Security Technical Implementation Guide\n   (DISA STIG) compliant configuration settings on all affected servers.\n\n\n\n                                           9\n\x0c       The OIG will follow-up on the status of the implementation project during the FY\n       2013 General FISMA Audit, and no recommendation will be issued as part of this\n       report.\n\n       OCIO Response:\n       \xe2\x80\x9cThe Report noted that the OIG review of [the] most recent vulnerability scan\n       identified several major weaknesses that required remediation, but that there is\n       currently a project to remediate the vulnerabilities and employ Defense Information\n       Systems Agency: Security Technical Implementation Guide (DISA STIG)\n       compliant configuration.\n\n       CIO currently has scheduled vulnerability scanning on the network. This will be\n       expanded to all web applications.\xe2\x80\x9d\n\nX. Security Breaches Involving Serena\n   In May 2012, a malicious hacker successfully breached SBM and obtained sensitive data.\n   The system was briefly taken down by the OCIO, but was quickly restored and made\n   available on the public Internet.\n\n   As mentioned in section IX above, NSB routinely conducts vulnerability scans on the\n   technical infrastructure supporting SBM. The OIG also issued an audit recommendation\n   in FY 2012 that the OCIO routinely audit Oracle database configurations for compliance\n   with an approved baseline (Report No. 4A-CI-00-12-016 Recommendation 3). 
However,\n   it appears that no action was taken to address the concerns raised by NSB or the OIG, as\n   SBM was breached again in March 2013, again leading to the loss of sensitive data.\n\n   These attacks exploited weaknesses that were already known to OCIO personnel, and it is\n   our opinion that the system should not have been placed back online in this insecure state.\n   Our independent test work indicated that the servers and databases supporting SBM\n   continued to operate with critical vulnerabilities as of March 20, 2013. Therefore, we\n   issued a flash audit alert to the OPM Director on April 8, 2013 recommending that all\n   public-facing elements of SBM be taken down until the system could be adequately\n   secured.\n\n   In response to our alert, the Director instructed the OCIO to shut down the public-facing\n   portion of the system and develop a corrective action plan to quickly address the SBM\n   security flaws (see Appendix III.) We agree with the corrective action plan and will\n   continue to monitor this issue.\n\n\n\n\n                                               10\n\x0c                      Major Contributors to this Report\nThis audit report was prepared by the U.S. Office of Personnel Management, Office of\nInspector General, Information Systems Audits Group. 
The following individuals\nparticipated in the audit and the preparation of this report:\n\n\xe2\x80\xa2                  , Group Chief\n\xe2\x80\xa2                    , Senior Team Leader\n\xe2\x80\xa2                    IT Auditor\n\n\n\n\n                                          11\n\x0c                                    Appendix I\n                                      April 9, 2013\n\n\n\n\nMEMORANDUM FOR\n                        CHIEF INFORMATION SYSTEMS AUDIT GROUP\n\nTHROUGH:\n                        ACTING CHIEF INFORMATION OFFICER\n\nTHROUGH:\n                        DEPUTY CHIEF INFORMATION OFFICER FOR\n                        OPERATIONS\n\nFROM:\n                        DIRECTOR, APPLICATION SYSTEMS\n\nSubject:                Audit of the Information Technology Security Controls of the\n                        U.S. Office of Personnel Management\xe2\x80\x99s Serena Business\n                        Manager (Report No. 4A-CI-00-13-023)\n\n\nThank you for the opportunity to provide comments on the Draft Audit Report for Serena\nBusiness Manager. Our comments are directed specifically towards Results Section IX,\nNIST SP 800-53 Revision 3 Evaluation. The Draft Report identifies several tested\nsecurity controls that were not fully satisfied during the course of the audit.\n\nAC-6 Least Privilege\n\nThe Report noted that SBM does not have a standardized process in place to routinely\naudit user accounts for appropriate access across all applications on the system. The\nfollowing actions have been taken to address the weakness.\n\n   \xe2\x80\xa2   CIO is currently working on a standardized process to track all account requests\n       to SBM application. CIO will also include a process to review current SBM\n       account access and take corrective actions as needed. 
This will be performed on a\n       regular basis.\n           o Specifically, we are currently collecting account data needs to ensure the\n               system owners/administrators are getting the audit results they need and to\n               confirm who is or is not authorized account access. This also would\n               resolve the separation of duties issue where we collect the raw logs and\n               then provide them to the System Owner/Admin for review/validation.\n\x0c   \xe2\x80\xa2   As an interim solution, the DSO/managed administrators will create requests in\n       the SBM ACTS application to track requests. All external users have agreements\n       which are now being uploaded to the CIO CMS system. The assigned Rules of\n       Behavior and the fax copy of the access request are also being uploaded.\n   \xe2\x80\xa2   In the long-term, we will work with the NM Help Desk; modifying the 1665 so\n       that the Help Desk can field account requests and collect sufficient information to\n       establish new accounts.\n\nPS-6 Access Agreements\n\nThe Report noted that SBM does not utilize access agreement forms when granting\nindividuals access to the information system. Users who require access send an email\nrequest to the DSO. The current process makes it difficult not only to find individual\naccess requests, but also audit user accounts to ensure appropriate access.. 
The following\naction has been taken to address the weakness.\n\n   \xe2\x80\xa2   OCIO uses the 1665 form for both AD access and access to specific applications.\n       The reconciliation between the 1665 authorization for access and the log files of\n       actual account access should be occurring at the System level where System\n       Owner/Administrators grant authorized access according to their program\n       requirements.\n           o OCIO will develop a continuous monitoring solution to provide system\n               owners with regular reports on account access for their audits of account\n               access.\n   \xe2\x80\xa2   SBM uses Active Directory authentication and all access is tied to LAN/WAN\n       accounts. The new process that is currently being designed (described as an\n       interim solution in section AC-6 above) will remediate this problem. The long-\n       term intent is to incorporate standard data collection form/processes for Serena.\n\nRA-5 Vulnerability Scanning\n\nThe Report noted that the OIG review of most recent vulnerability scan identified several\nmajor weaknesses that required remediation, but that there is currently a project to\nremediate thee vulnerabilities and employ Defense Information Systems Agency:\nSecurity Technical Implementation Guide (DISA STIG) compliant configuration.\n\nCIO currently has scheduled vulnerability scanning on the network. This will be\nexpanded to all web applications.\n\n\nIf there are additional questions, please contact               at                .\n\x0c                                                                Appendix II\n\n                                         UNIT ED STATES O FFICE O F PERSO NNEL MANAG EMENT\n                                                               W.ll ~h i n g lOn .   
IX\' 204 1!i\n\n    I) l h.:C\' " I tho:\'\nI n\' m l....( ;cncf lll\n                                                                   April 8.2013\n\n\n\n          M EM ORA NDUM FO R JOHl\' BERRY\n                             Direct or\n\n          FROM :                                  PAT RICK E. McFARLAND\n                                                  Inspector General\n\n          S UBJECT :                             Flash A udit Alert lnformation System Security at the\n                                                                      -c\n\n\n\n\n                                                 U.S. Office o f Perso nnel Mana gem ent\n\n          The U.S. Office of Personnel Management (OPM) Office of the Inspector General (DIG) is\n          iss uing th is nash au dit a lert to brin g to your immediate atten tion seri ous co ncerns we have\n          regard ing informatio n system security at OPM.\n\n          In M ay 20 12. a malic ious hacker succe ssfully breached O PM \' s Serena Bu siness Manager system\n          (Serena. formerly known as TeamT rack). The system was briefly taken down by OPM \' s Office\n          of the Ch ief Information Officer (OCIO) , but was quickly restored and made available on the\n          public Intern et.\n\n          Ov er the pas t year. the a C ID \'s Net work Securi ty Branch has conducted vu lne rability scans that\n          detected se curity flaws in the Se rena system . However. it appears that no ac tio n was taken by\n          the system ad mi nistrators to add ress these iss ues, as an other application o n the Serena platfo rm\n          was hacked in March 20 13. After both securi ty breaches. the hackers boasted on the Internet\n          about comprom ising a gove rnment computer syste m. leading to embarrass ing publicity fo r O PM .\n\n          As pan of our recen t a udit of Sere na. 
we conducted independent tes ting o f this system and\n          determined that critical sec urity flaws co ntinue to exist on both the servers and the da tabas es\n          supporting thi s sy stem. As a sho rt te rm action. we recommend that y ou order att Internet\n         l acing           elt ~men lS   of Serena to be taken down until the system can be adequately securell .\n\n          Unfortuna tely, o ur co nce rns are not lim ited to the Serena system, an d we belie ve this issue is\n          indicative of a sy stem ic problem at OPM . It is o ur understanding tha t Serena an d many o ther\n          O PM systems o pe rate in a " deve lopment" en vironment an d therefore have never been subject to\n          the tho rough security and functio nality testin g tha t a production system should receive.\n\n\n\n\n           . . . . . DI... . ." .\n\x0c                                        Ap pendix II\n\n\n\nHonorable John Berry                                                                            2\n\nWe will continue to perform audit work related to these concerns. with a focus on the security of\nInternet facing systems hosted in the "development" environment. We will provide you with\nadditional details in two forthcoming final aud it reports:\n\xe2\x80\xa2\t Audit of the Information Technology Security Controls of Serena Business Manager (to be\n   issued in April 2013 )\n\n\n\n                                               a_\n\xe2\x80\xa2\t Fede ral Information Sec urity Mana gement Act Audit - FY 20 13 (to be issued in November\n   20 13)\n\nIf you have any questions you can contact me.              or a member of your staff may\ncontact Michael Esser. Assistant Inspector General for Audits. a_       .\n\x0c                                           Appendix III\n\n                    UN ITED STATE S OFFICE        or rER S O N ~ [ L M r\\ NAGEM ENT\n                                           Wa\' hJnglun . 
[X \' :!IN I\'\n                                               AI\'fI 10 IOU\n\n\nMEMORANDUM FOR :                PATR IC K E. MCFA RLAND\n                                Inspector General\n\nmOM :\n                                JOHN   IlERRzt\n                                Director\n                                          \xc2\xb7\n\nSU BJ ECT :                     Response to          F     h Audit Alen   April R. 201 ]\n\n\nTh ank yo u for bringing th is matter 10 my immediate attention. In response. Chuck Simpson.\n                                l1Il~ from the\' Office u f the Chief Information O ffice r\n(OC IO ) met with Michael Esser                                   from your staff. on April 9,\n20 13. to clarify the information system security issues. They mutual ly agreed on the following\nactions :\n\n     I )\t The external-facing access point to the Internet was disabled for all the: Serena Business\n          Manager (S OM) applications as of 5:00 pm Apri l 9;\n\n     2)\t The applications on S BM would remai n available to internal O PM users;\n\n     3}\t OCIO and 10 staffs will work ccllabcratively to review and remcd iate SBM platforms\n         and applications. based on a phased approach. in orde r to reopen the access 10 external\n         users as qu ickly as po ssible; and\n\n     4)\t UCIO a nd 10 sta ffs will work together to identify any other sites internal to a PM and\n          remcdiate.\n\n We will contin ue to monitor th e work on this issue . If you ha ve any questions please call Chuck\nS impson. Act ing Chief Inform atio n Officer. at               . or emai l hi m at\n(t    I     I\'   \xe2\x80\xa2 I l\'   I\'\n\n\n\n\n---\n\x0c'
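The AC-6 and PS-6 findings above, and the OCIO's stated plan to reconcile access authorizations against the log files of actual account access, describe a routine check that a system owner can automate. The following is an added example written for this page; it is not code from the OIG report, from OPM, or from the Serena product. It assumes a hypothetical CSV authorization register (one row per approved user/application pair, with the dates the access agreement was signed and last reviewed) and a hypothetical key=value access-log format; both inputs are constructed inline, and the review period of 365 days is an assumed policy value, not one the report specifies.

```python
"""Reconcile an access-authorization register against application access logs.

Added example for the AC-6 / PS-6 findings; not part of the OIG report or any
OPM tooling. Register layout, log format and the 365-day review period are
assumptions made for this illustration.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import date

# Constructed authorization register (hypothetical format, not the 1665 form).
# agreement_signed: date the access agreement was signed; blank if none on file.
# agreement_reviewed: date the agreement was last reviewed; blank if never.
AUTH_REGISTER_CSV = """\
user,application,role,agreement_signed,agreement_reviewed
asmith,ACTS,user,2012-03-01,2013-01-15
bjones,ACTS,admin,2012-06-10,
cdoe,HelpDesk,user,,
dlee,ACTS,user,2011-02-01,2011-02-01
"""

# Constructed application access log (hypothetical key=value format).
ACCESS_LOG = """\
2013-03-18T09:12:44Z app=ACTS user=asmith event=login result=success
2013-03-18T09:40:02Z app=ACTS user=bjones event=login result=success
2013-03-19T11:02:19Z app=ACTS user=eroe event=login result=success
2013-03-19T13:55:07Z app=HelpDesk user=cdoe event=login result=success
2013-03-20T08:01:33Z app=ACTS user=asmith event=login result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str          # discrepancy category
    user: str
    application: str
    detail: str


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def parse_register(text: str) -> dict[tuple[str, str], dict]:
    """Return {(user, application): row} with the two date fields parsed."""
    rows: dict[tuple[str, str], dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["agreement_signed"] = _parse_date(row["agreement_signed"])
        row["agreement_reviewed"] = _parse_date(row["agreement_reviewed"])
        rows[(row["user"], row["application"])] = row
    return rows


def parse_log(text: str) -> set[tuple[str, str]]:
    """Return the (user, application) pairs with at least one successful login."""
    seen: set[tuple[str, str]] = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line; a production job should count and report these
        if m["event"] == "login" and m["result"] == "success":
            seen.add((m["user"], m["app"]))
    return seen


def reconcile(register_text: str, log_text: str, as_of: date,
              review_period_days: int = 365) -> list[Finding]:
    """Compare authorized access with observed access and return the discrepancies."""
    register = parse_register(register_text)
    active = parse_log(log_text)
    findings: list[Finding] = []

    # (1) Successful access for which no authorization record exists (AC-6).
    for user, app in sorted(active - register.keys()):
        findings.append(Finding("UNAUTHORIZED_ACCESS", user, app,
                                "successful login with no authorization record"))

    for (user, app), row in register.items():
        signed, reviewed = row["agreement_signed"], row["agreement_reviewed"]
        if signed is None:
            # (2) Authorized without a signed access agreement on file (PS-6).
            findings.append(Finding("NO_AGREEMENT", user, app,
                                    "authorized but no signed access agreement on file"))
        else:
            # (3) Agreement not reviewed within the review period (PS-6).
            age = (as_of - (reviewed or signed)).days
            if age > review_period_days:
                findings.append(Finding("REVIEW_OVERDUE", user, app,
                                        f"agreement last reviewed {age} days ago"))
        if (user, app) not in active:
            # (4) Authorized account with no successful login in the log window (AC-6).
            findings.append(Finding("DORMANT", user, app,
                                    "no successful login observed in the reviewed log window"))
    return findings


def sample_findings() -> list[Finding]:
    """Run the reconciliation over the constructed sample data as of 2013-03-20."""
    return reconcile(AUTH_REGISTER_CSV, ACCESS_LOG, as_of=date(2013, 3, 20))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:<20} {f.application:<9} {f.user:<8} {f.detail}")
```

On the constructed sample the check surfaces one account with successful logins but no authorization record, one authorization with no signed agreement, one agreement whose review is overdue, and one authorized account with no activity in the log window. Run on a regular schedule and delivered to the system owner, this is the kind of report the OCIO response commits to producing; keeping the raw logs with the collector and the review with the system owner also preserves the separation of duties the OCIO memo mentions.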